bisecting cause commit starting from 1996cf46e4673a25ef2478eb266714f409a98221
building syzkaller on abf9ba4fc75d9b29af15625d44dcfc1360fad3b7
testing commit 1996cf46e4673a25ef2478eb266714f409a98221 with gcc (GCC) 8.1.0
kernel signature: 55750ee83935f6e18326894e704e18a7942e0d5860dad8b267c5ed77113cf080
run #0: crashed: INFO: task hung in addrconf_dad_work
run #1: crashed: INFO: task hung in linkwatch_event
run #2: crashed: INFO: task hung in linkwatch_event
run #3: crashed: INFO: task hung in addrconf_dad_work
run #4: crashed: INFO: task hung in linkwatch_event
run #5: crashed: INFO: task hung in linkwatch_event
run #6: crashed: INFO: task hung in linkwatch_event
run #7: crashed: INFO: task hung in addrconf_dad_work
run #8: crashed: INFO: task hung in addrconf_dad_work
run #9: crashed: INFO: task hung in linkwatch_event
testing release v5.8
testing commit bcf876870b95592b52519ed4aafcf9d95999bc9c with gcc (GCC) 8.1.0
kernel signature: ceb4b46391972a2d8edc2835f59daa66cab8fee1c883d3b0efcf81ee28447335
run #0: crashed: INFO: task hung in linkwatch_event
run #1: crashed: INFO: task hung in switchdev_deferred_process_work
run #2: crashed: INFO: task hung in addrconf_dad_work
run #3: crashed: INFO: task hung in addrconf_dad_work
run #4: crashed: INFO: task hung in linkwatch_event
run #5: crashed: INFO: task hung in addrconf_dad_work
run #6: crashed: INFO: task hung in addrconf_dad_work
run #7: crashed: INFO: task hung in addrconf_dad_work
run #8: crashed: INFO: task hung in addrconf_dad_work
run #9: boot failed: can't ssh into the instance
testing release v5.7
testing commit 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 with gcc (GCC) 8.1.0
kernel signature: 3af92d0dfbc03635b45a617ea66adbe5e07138f418cfbc3e4b7ceefd32652312
run #0: crashed: INFO: task hung in addrconf_dad_work
run #1: crashed: INFO: task hung in linkwatch_event
run #2: crashed: INFO: task hung in addrconf_dad_work
run #3: crashed: INFO: task hung in addrconf_dad_work
run #4: crashed: INFO: task hung in addrconf_dad_work
run #5: crashed: INFO: task hung in linkwatch_event
run #6: crashed: INFO: task hung in linkwatch_event
run #7: crashed: INFO: task hung in addrconf_dad_work
run #8: crashed: INFO: task hung in addrconf_dad_work
run #9: crashed: INFO: task hung in addrconf_dad_work
testing release v5.6
testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 with gcc (GCC) 8.1.0
kernel signature: 7d1aec868fc5311380f0aad2d3b142ae64f6e3ffb611adb32005aca350c42c06
run #0: crashed: INFO: task hung in linkwatch_event
run #1: crashed: INFO: task hung in addrconf_dad_work
run #2: crashed: INFO: task hung in linkwatch_event
run #3: crashed: INFO: task hung in addrconf_dad_work
run #4: crashed: INFO: task hung in linkwatch_event
run #5: crashed: INFO: task hung in addrconf_dad_work
run #6: crashed: INFO: task hung in linkwatch_event
run #7: crashed: INFO: task hung in addrconf_dad_work
run #8: crashed: INFO: task hung in linkwatch_event
run #9: crashed: INFO: task hung in linkwatch_event
testing release v5.5
testing commit d5226fa6dbae0569ee43ecfc08bdcd6770fc4755 with gcc (GCC) 8.1.0
kernel signature: 22039f1d921ac319bfaf8500e1f8b11c81c2faf9b0e4cff869c78dd23aeceacf
run #0: crashed: INFO: task hung in addrconf_dad_work
run #1: crashed: INFO: task hung in linkwatch_event
run #2: crashed: INFO: task hung in addrconf_dad_work
run #3: crashed: INFO: task hung in addrconf_dad_work
run #4: crashed: INFO: task hung in addrconf_dad_work
run #5: crashed: INFO: task hung in addrconf_dad_work
run #6: crashed: INFO: task hung in addrconf_dad_work
run #7: crashed: INFO: task hung in addrconf_dad_work
run #8: crashed: INFO: task hung in addrconf_dad_work
run #9: crashed: INFO: task hung in addrconf_dad_work
testing release v5.4
testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0
kernel signature: 1f3fcd46236b982eaf0969a6841dedff8396c6e7238623da02d67ea34ac0c8b8
run #0: crashed: INFO: task hung in addrconf_dad_work
run #1: crashed: INFO: task hung in addrconf_dad_work
run #2: crashed: INFO: task hung in addrconf_dad_work
run #3: crashed: INFO: task hung in addrconf_dad_work
run #4: crashed: INFO: task hung in addrconf_dad_work
run #5: crashed: INFO: task hung in addrconf_dad_work
run #6: crashed: INFO: task hung in addrconf_dad_work
run #7: crashed: INFO: task hung in linkwatch_event
run #8: crashed: INFO: task hung in linkwatch_event
run #9: crashed: INFO: task hung in addrconf_dad_work
testing release v5.3
testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0
kernel signature: 507d21163ecb853ad09c401690469692fbf3c81978bcfc11615e0c32d5ef9e1f
all runs: crashed: INFO: task hung in rtnl_lock
testing release v5.2
testing commit 0ecfebd2b52404ae0c54a878c872bb93363ada36 with gcc (GCC) 8.1.0
kernel signature: 3d6285d7c4562b4fa5ee8fdb0ef28361ea56c5bf028f440d9590067e2ac8e9d9
all runs: crashed: INFO: task hung in rtnl_lock
testing release v5.1
testing commit e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd with gcc (GCC) 8.1.0
kernel signature: 973bc50ab0745e47a34eba493a9e3b2bf6f707a1b048b7b56094d272b4668980
all runs: crashed: INFO: task hung in rtnl_lock
testing release v5.0
testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0
kernel signature: a61a4e4084e95907bf71b7ddc3fe80a3f2818408559001e8b60aabafb99761e4
all runs: crashed: INFO: task hung in rtnl_lock
testing release v4.20
testing commit 8fe28cb58bcb235034b64cbbb7550a8a43fd88be with gcc (GCC) 8.1.0
kernel signature: 92ca8f285bdf77199b684b4ea246a49e438110e41a71886013c1270fbe406327
all runs: crashed: INFO: task hung in rtnl_lock
testing release v4.19
testing commit 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d with gcc (GCC) 8.1.0
kernel signature: 66433e189bf3d23881ea56969930ba5793eef9e517fefb5972c512b31b6c14db
run #0: crashed: INFO: task hung in rtnl_lock
run #1: crashed: INFO: task hung in rtnl_lock
run #2: crashed: INFO: task hung in rtnl_lock
run #3: crashed: INFO: task hung in rtnl_lock
run #4: crashed: INFO: task hung in rtnl_lock
run #5: crashed: INFO: task hung in rtnl_lock
run #6: crashed: INFO: task hung in rtnl_lock
run #7: crashed: INFO: task hung in rtnetlink_rcv_msg
run #8: crashed: INFO: task hung in rtnl_lock
run #9: crashed: INFO: task hung in rtnl_lock
testing release v4.18
testing commit 94710cac0ef4ee177a63b5227664b38c95bbf703 with gcc (GCC) 8.1.0
kernel signature: 91024da90700b5412d6242a0ab5ac82f599facc4b8471c83d231bec93278131f
all runs: OK
# git bisect start 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d 94710cac0ef4ee177a63b5227664b38c95bbf703
Bisecting: 7596 revisions left to test after this (roughly 13 steps)
[db06f826ec12bf0701ea7fc0a3c0aa00b84417c8] Merge tag 'clk-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux
testing commit db06f826ec12bf0701ea7fc0a3c0aa00b84417c8 with gcc (GCC) 8.1.0
kernel signature: 9d7fb78ea0df2b08469c628630ee81291194eee3245a65a3443af64b0ebc9109
run #0: crashed: KASAN: use-after-free Read in __tcf_action_put
run #1: crashed: KASAN: use-after-free Read in __tcf_action_put
run #2: crashed: KASAN: use-after-free Read in __tcf_action_put
run #3: crashed: INFO: task hung in rtnl_lock
run #4: crashed: INFO: task hung in rtnl_lock
run #5: crashed: INFO: task hung in rtnl_lock
run #6: crashed: INFO: task hung in rtnl_lock
run #7: crashed: INFO: task hung in rtnl_lock
run #8: crashed: INFO: task hung in rtnl_lock
run #9: crashed: INFO: task hung in rtnl_lock
# git bisect bad db06f826ec12bf0701ea7fc0a3c0aa00b84417c8
Bisecting: 4493 revisions left to test after this (roughly 12 steps)
[0a957467c5fd46142bc9c52758ffc552d4c5e2f7] x86: i8259: Add missing include file
testing commit 0a957467c5fd46142bc9c52758ffc552d4c5e2f7 with gcc (GCC) 8.1.0
kernel signature: 3df8ab36eb16e560449fe13b9be369daea7ac6d9663af7bed7a610fbcdd810cd
all runs: OK
# git bisect good 0a957467c5fd46142bc9c52758ffc552d4c5e2f7
Bisecting: 2289 revisions left to test after this (roughly 11 steps)
[9a76aba02a37718242d7cdc294f0a3901928aa57] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next
testing commit 9a76aba02a37718242d7cdc294f0a3901928aa57 with gcc (GCC) 8.1.0
kernel signature: 24affa7cb4e254667dfc03130610dff27a65d1b79bf67472268191d0e2a022fd
run #0: crashed: KASAN: use-after-free Read in __tcf_action_put
run #1: crashed: INFO: task hung in rtnl_lock
run #2: crashed: INFO: task hung in rtnl_lock
run #3: crashed: INFO: task hung in rtnl_lock
run #4: crashed: INFO: task hung in rtnl_lock
run #5: crashed: INFO: task hung in rtnl_lock
run #6: crashed: INFO: task hung in rtnl_lock
run #7: crashed: INFO: task hung in rtnl_lock
run #8: crashed: INFO: task hung in rtnl_lock
run #9: crashed: INFO: task hung in rtnl_lock
# git bisect bad 9a76aba02a37718242d7cdc294f0a3901928aa57
Bisecting: 1088 revisions left to test after this (roughly 10 steps)
[a527d3f728bfdb6c30c8ecc0b58e695d05d42fc8] Merge tag 'wireless-drivers-next-for-davem-2018-07-23' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers-next
testing commit a527d3f728bfdb6c30c8ecc0b58e695d05d42fc8 with gcc (GCC) 8.1.0
kernel signature: df305ac43bfe002ab0cb2f96be06c048a97a3bd293e713ab9c343e70ac910d99
run #0: crashed: KASAN: use-after-free Read in __tcf_action_put
run #1: crashed: KASAN: use-after-free Read in __tcf_action_put
run #2: crashed: KASAN: use-after-free Read in __tcf_action_put
run #3: crashed: KASAN: use-after-free Read in __tcf_action_put
run #4: crashed: INFO: task hung in rtnl_lock
run #5: crashed: INFO: task hung in rtnl_lock
run #6: crashed: INFO: task hung in rtnl_lock
run #7: crashed: INFO: task hung in rtnl_lock
run #8: crashed: INFO: task hung in rtnl_lock
run #9: crashed: INFO: task hung in rtnl_lock
# git bisect bad a527d3f728bfdb6c30c8ecc0b58e695d05d42fc8
Bisecting: 557 revisions left to test after this (roughly 9 steps)
[f9520b86dc22b6ac0ad2926cfa334e9fecb68a12] be2net: remove unused tx_jiffies field from be_tx_stats
testing commit f9520b86dc22b6ac0ad2926cfa334e9fecb68a12 with gcc (GCC) 8.1.0
kernel signature: 0d549bf0129eae3b9e5463fbce3ffa5093f96fe548e83e813b809d24eec3740f
run #0: crashed: KASAN: use-after-free Read in __tcf_action_put
run #1: crashed: KASAN: use-after-free Read in __tcf_action_put
run #2: crashed: KASAN: use-after-free Read in __tcf_action_put
run #3: crashed: INFO: task hung in rtnl_lock
run #4: crashed: INFO: task hung in rtnl_lock
run #5: crashed: INFO: task hung in rtnl_lock
run #6: crashed: INFO: task hung in rtnl_lock
run #7: crashed: INFO: task hung in rtnl_lock
run #8: crashed: INFO: task hung in rtnl_lock
run #9: crashed: INFO: task hung in rtnl_lock
# git bisect bad f9520b86dc22b6ac0ad2926cfa334e9fecb68a12
Bisecting: 278 revisions left to test after this (roughly 8 steps)
[335c997dce5c448ee06b3fd4dfe49fc7279f73ce] r8169: remove old PHY reset hack
testing commit 335c997dce5c448ee06b3fd4dfe49fc7279f73ce with gcc (GCC) 8.1.0
kernel signature: 7f9ed3c1ab5e42f1f8a66a97f26251a28c0a824f6f7470fbd3487b115053673c
all runs: OK
# git bisect good 335c997dce5c448ee06b3fd4dfe49fc7279f73ce
Bisecting: 138 revisions left to test after this (roughly 7 steps)
[ab8565af68001ac5f9331daa311938ead3eb5636] Merge branch 'IP-listification-follow-ups'
testing commit ab8565af68001ac5f9331daa311938ead3eb5636 with gcc (GCC) 8.1.0
kernel signature: 29ee819f95767b02eb25ceff13e58d9381bcbdc70285b4850fc4fa7eb971bc56
all runs: OK
# git bisect good ab8565af68001ac5f9331daa311938ead3eb5636
Bisecting: 69 revisions left to test after this (roughly 6 steps)
[d7be97756f8a4874ac17003de5843c742dd84153] net-sysfs: Drop support for XPS and traffic_class on single queue device
testing commit d7be97756f8a4874ac17003de5843c742dd84153 with gcc (GCC) 8.1.0
kernel signature: d07dd18bb916234033a80b40e02fa09d86a543d7f3b52b0e0fc80b622df2c2de
run #0: crashed: KASAN: use-after-free Read in __tcf_action_put
run #1: crashed: KASAN: use-after-free Read in __tcf_action_put
run #2: crashed: KASAN: use-after-free Read in __tcf_action_put
run #3: crashed: KASAN: use-after-free Read in __tcf_action_put
run #4: crashed: KASAN: use-after-free Read in __tcf_action_put
run #5: crashed: INFO: task hung in rtnl_lock
run #6: crashed: INFO: task hung in rtnl_lock
run #7: crashed: INFO: task hung in rtnl_lock
run #8: crashed: INFO: task hung in rtnl_lock
run #9: crashed: INFO: task hung in rtnl_lock
# git bisect bad d7be97756f8a4874ac17003de5843c742dd84153
Bisecting: 34 revisions left to test after this (roughly 5 steps)
[d30695126f0ac5bca85d09c7946ad9a1deab5d25] net/sched: flower: Dump the ethertype encapsulated in vlan
testing commit d30695126f0ac5bca85d09c7946ad9a1deab5d25 with gcc (GCC) 8.1.0
kernel signature: a2a7436450dfce107569d0541e6a91ae7cf576567b78cd096bcacccfb6e16a0f
all runs: OK
# git bisect good d30695126f0ac5bca85d09c7946ad9a1deab5d25
Bisecting: 17 revisions left to test after this (roughly 4 steps)
[b409074e6693bcdaa7abbee2a035f22a9eabda53] net: sched: add 'delete' function to action ops
testing commit b409074e6693bcdaa7abbee2a035f22a9eabda53 with gcc (GCC) 8.1.0
kernel signature: 4552c7bcba9ab61c3cccc24aedeb48f64e9119dd15fc49b4a4feaaab53005bf7
all runs: OK
# git bisect good b409074e6693bcdaa7abbee2a035f22a9eabda53
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[45e0620d5eb15daa102e9212b92180adf2f4f0aa] mlxsw: reg: Introduce Flex2 key type for PTAR register
testing commit 45e0620d5eb15daa102e9212b92180adf2f4f0aa with gcc (GCC) 8.1.0
kernel signature: d06ff44b27930422b3bbd8bc282bb6167eb29dd641ea3e56b2fb37fe7dd2f643
run #0: crashed: KASAN: use-after-free Read in __tcf_action_put
run #1: crashed: KASAN: use-after-free Read in __tcf_action_put
run #2: crashed: KASAN: use-after-free Read in __tcf_action_put
run #3: crashed: KASAN: use-after-free Read in __tcf_action_put
run #4: crashed: KASAN: use-after-free Read in __tcf_action_put
run #5: crashed: INFO: task hung in rtnl_lock
run #6: crashed: INFO: task hung in rtnl_lock
run #7: crashed: INFO: task hung in rtnl_lock
run #8: crashed: INFO: task hung in rtnl_lock
run #9: crashed: INFO: task hung in rtnl_lock
# git bisect bad 45e0620d5eb15daa102e9212b92180adf2f4f0aa
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[0190c1d452a91c38a3462abdd81752be1b9006a8] net: sched: atomically check-allocate action
testing commit 0190c1d452a91c38a3462abdd81752be1b9006a8 with gcc (GCC) 8.1.0
kernel signature: 2a8796896af2c91ceec96c48f06f7c693e80e367b56ddb874aede81c29e604d5
run #0: crashed: KASAN: use-after-free Read in __tcf_action_put
run #1: crashed: KASAN: use-after-free Read in __tcf_action_put
run #2: crashed: KASAN: use-after-free Read in __tcf_action_put
run #3: crashed: KASAN: use-after-free Read in __tcf_action_put
run #4: crashed: KASAN: use-after-free Read in __tcf_action_put
run #5: crashed: KASAN: use-after-free Read in __tcf_action_put
run #6: crashed: INFO: task hung in rtnl_lock
run #7: crashed: INFO: task hung in rtnl_lock
run #8: crashed: INFO: task hung in rtnl_lock
run #9: crashed: INFO: task hung in rtnl_lock
# git bisect bad 0190c1d452a91c38a3462abdd81752be1b9006a8
Bisecting: 1 revision left to test after this (roughly 1 step)
[4e8ddd7f1758ca4ddd0c1f7cf3e66fce736241d2] net: sched: don't release reference on action overwrite
testing commit 4e8ddd7f1758ca4ddd0c1f7cf3e66fce736241d2 with gcc (GCC) 8.1.0
kernel signature: 46cd783aaeec6cf9dfda087e73d41de7c89a0d4e51c1d4de152a8ed75dda56a8
all runs: crashed: KASAN: use-after-free Read in __tcf_action_put
# git bisect bad 4e8ddd7f1758ca4ddd0c1f7cf3e66fce736241d2
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[16af6067392c40e454e49eec834843ab03643d96] net: sched: implement reference counted action release
testing commit 16af6067392c40e454e49eec834843ab03643d96 with gcc (GCC) 8.1.0
kernel signature: a86f8c9af0931d305ab887beb2fc7020d82ffe15b832ca1e2f2db29df4f78f03
all runs: OK
# git bisect good 16af6067392c40e454e49eec834843ab03643d96
4e8ddd7f1758ca4ddd0c1f7cf3e66fce736241d2 is the first bad commit
commit 4e8ddd7f1758ca4ddd0c1f7cf3e66fce736241d2
Author: Vlad Buslov <vladbu@mellanox.com>
Date:   Thu Jul 5 17:24:30 2018 +0300

    net: sched: don't release reference on action overwrite
    
    Return from action init function with reference to action taken,
    even when overwriting existing action.
    
    Action init API initializes its fourth argument (pointer to pointer to tc
    action) to either existing action with same index or newly created action.
    In case of existing index(and bind argument is zero), init function returns
    without incrementing action reference counter. Caller of action init then
    proceeds working with action, without actually holding reference to it.
    This means that action could be deleted concurrently.
    
    Change action init behavior to always take reference to action before
    returning successfully, in order to protect from concurrent deletion.
    
    Reviewed-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
    Signed-off-by: Vlad Buslov <vladbu@mellanox.com>
    Signed-off-by: Jiri Pirko <jiri@mellanox.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sched/act_api.c        |  2 --
 net/sched/act_bpf.c        |  8 ++++----
 net/sched/act_connmark.c   |  5 +++--
 net/sched/act_csum.c       |  8 ++++----
 net/sched/act_gact.c       |  5 +++--
 net/sched/act_ife.c        | 10 +++++-----
 net/sched/act_ipt.c        |  5 +++--
 net/sched/act_mirred.c     |  5 ++---
 net/sched/act_nat.c        |  5 +++--
 net/sched/act_pedit.c      |  2 +-
 net/sched/act_police.c     |  8 +++-----
 net/sched/act_sample.c     |  8 +++-----
 net/sched/act_simple.c     |  5 +++--
 net/sched/act_skbedit.c    |  5 +++--
 net/sched/act_skbmod.c     |  8 +++-----
 net/sched/act_tunnel_key.c | 11 ++++-------
 net/sched/act_vlan.c       |  8 +++-----
 17 files changed, 50 insertions(+), 58 deletions(-)
culprit signature: 46cd783aaeec6cf9dfda087e73d41de7c89a0d4e51c1d4de152a8ed75dda56a8
parent  signature: a86f8c9af0931d305ab887beb2fc7020d82ffe15b832ca1e2f2db29df4f78f03
revisions tested: 27, total time: 5h50m34.837260409s (build: 2h33m10.951921164s, test: 3h14m28.812183935s)
first bad commit: 4e8ddd7f1758ca4ddd0c1f7cf3e66fce736241d2 net: sched: don't release reference on action overwrite
recipients (to): ["davem@davemloft.net" "jiri@mellanox.com" "marcelo.leitner@gmail.com" "vladbu@mellanox.com"]
recipients (cc): []
crash: KASAN: use-after-free Read in __tcf_action_put
IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.1'.
==================================================================
BUG: KASAN: use-after-free in __tcf_action_put+0xee/0x100 net/sched/act_api.c:104
Read of size 8 at addr ffff88008d5d7160 by task syz-executor.1/7779

CPU: 1 PID: 7779 Comm: syz-executor.1 Not tainted 4.18.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x15a/0x20d lib/dump_stack.c:113
 print_address_description.cold.6+0x9/0x211 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x307 mm/kasan/report.c:412
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 __tcf_action_put+0xee/0x100 net/sched/act_api.c:104
 __tcf_idr_release+0x6a/0x90 net/sched/act_api.c:142
 tcf_idr_release include/net/act_api.h:162 [inline]
 tcf_ife_init+0x4c4/0x14f0 net/sched/act_ife.c:549
 tcf_action_init_1+0x657/0xb30 net/sched/act_api.c:796
 tcf_action_init+0x189/0x5c0 net/sched/act_api.c:865
 tcf_action_add net/sched/act_api.c:1250 [inline]
 tc_ctl_action+0x375/0x63d net/sched/act_api.c:1299
 rtnetlink_rcv_msg+0x34f/0x950 net/core/rtnetlink.c:4665
 netlink_rcv_skb+0x142/0x390 net/netlink/af_netlink.c:2448
 rtnetlink_rcv+0x10/0x20 net/core/rtnetlink.c:4683
 netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
 netlink_unicast+0x443/0x660 net/netlink/af_netlink.c:1336
 netlink_sendmsg+0x666/0xc50 net/netlink/af_netlink.c:1901
 sock_sendmsg_nosec net/socket.c:641 [inline]
 sock_sendmsg+0xac/0xf0 net/socket.c:651
 ___sys_sendmsg+0x647/0x950 net/socket.c:2125
 __sys_sendmsg+0xd9/0x180 net/socket.c:2163
 __do_sys_sendmsg net/socket.c:2172 [inline]
 __se_sys_sendmsg net/socket.c:2170 [inline]
 __x64_sys_sendmsg+0x73/0xb0 net/socket.c:2170
 do_syscall_64+0xd0/0x4d0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45d5b9
Code: 5d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 
RSP: 002b:00007f159d8bbc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 000000000002cec0 RCX: 000000000045d5b9
RDX: 0000000000000000 RSI: 0000000020000100 RDI: 0000000000000003
RBP: 000000000118cf80 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118cf4c
R13: 00007ffec71d34ff R14: 00007f159d8bc9c0 R15: 000000000118cf4c

Allocated by task 7779:
 save_stack mm/kasan/kasan.c:448 [inline]
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc.part.1+0x62/0xf0 mm/kasan/kasan.c:553
 kasan_kmalloc+0xaf/0xc0 mm/kasan/kasan.c:538
 __do_kmalloc mm/slab.c:3718 [inline]
 __kmalloc+0x151/0x400 mm/slab.c:3727
 kmalloc include/linux/slab.h:518 [inline]
 kzalloc include/linux/slab.h:707 [inline]
 tcf_idr_create+0xaf/0x720 net/sched/act_api.c:372
 tcf_ife_init+0x336/0x14f0 net/sched/act_ife.c:494
 tcf_action_init_1+0x657/0xb30 net/sched/act_api.c:796
 tcf_action_init+0x189/0x5c0 net/sched/act_api.c:865
 tcf_action_add net/sched/act_api.c:1250 [inline]
 tc_ctl_action+0x375/0x63d net/sched/act_api.c:1299
 rtnetlink_rcv_msg+0x34f/0x950 net/core/rtnetlink.c:4665
 netlink_rcv_skb+0x142/0x390 net/netlink/af_netlink.c:2448
 rtnetlink_rcv+0x10/0x20 net/core/rtnetlink.c:4683
 netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
 netlink_unicast+0x443/0x660 net/netlink/af_netlink.c:1336
 netlink_sendmsg+0x666/0xc50 net/netlink/af_netlink.c:1901
 sock_sendmsg_nosec net/socket.c:641 [inline]
 sock_sendmsg+0xac/0xf0 net/socket.c:651
 ___sys_sendmsg+0x647/0x950 net/socket.c:2125
 __sys_sendmsg+0xd9/0x180 net/socket.c:2163
 __do_sys_sendmsg net/socket.c:2172 [inline]
 __se_sys_sendmsg net/socket.c:2170 [inline]
 __x64_sys_sendmsg+0x73/0xb0 net/socket.c:2170
 do_syscall_64+0xd0/0x4d0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 7779:
 save_stack mm/kasan/kasan.c:448 [inline]
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x13c/0x220 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3498 [inline]
 kfree+0xcf/0x280 mm/slab.c:3813
 free_tcf net/sched/act_api.c:90 [inline]
 tcf_action_cleanup+0x110/0x150 net/sched/act_api.c:99
 __tcf_action_put+0xbe/0x100 net/sched/act_api.c:112
 __tcf_idr_release+0x6a/0x90 net/sched/act_api.c:142
 tcf_idr_release include/net/act_api.h:162 [inline]
 tcf_ife_init+0x1165/0x14f0 net/sched/act_ife.c:545
 tcf_action_init_1+0x657/0xb30 net/sched/act_api.c:796
 tcf_action_init+0x189/0x5c0 net/sched/act_api.c:865
 tcf_action_add net/sched/act_api.c:1250 [inline]
 tc_ctl_action+0x375/0x63d net/sched/act_api.c:1299
 rtnetlink_rcv_msg+0x34f/0x950 net/core/rtnetlink.c:4665
 netlink_rcv_skb+0x142/0x390 net/netlink/af_netlink.c:2448
 rtnetlink_rcv+0x10/0x20 net/core/rtnetlink.c:4683
 netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
 netlink_unicast+0x443/0x660 net/netlink/af_netlink.c:1336
 netlink_sendmsg+0x666/0xc50 net/netlink/af_netlink.c:1901
 sock_sendmsg_nosec net/socket.c:641 [inline]
 sock_sendmsg+0xac/0xf0 net/socket.c:651
 ___sys_sendmsg+0x647/0x950 net/socket.c:2125
 __sys_sendmsg+0xd9/0x180 net/socket.c:2163
 __do_sys_sendmsg net/socket.c:2172 [inline]
 __se_sys_sendmsg net/socket.c:2170 [inline]
 __x64_sys_sendmsg+0x73/0xb0 net/socket.c:2170
 do_syscall_64+0xd0/0x4d0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff88008d5d7140
 which belongs to the cache kmalloc-256 of size 256
The buggy address is located 32 bytes inside of
 256-byte region [ffff88008d5d7140, ffff88008d5d7240)
The buggy address belongs to the page:
page:ffffea00023575c0 count:1 mapcount:0 mapping:ffff8800aa8007c0 index:0x0
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffffea000235e608 ffffea00023924c8 ffff8800aa8007c0
raw: 0000000000000000 ffff88008d5d7000 000000010000000c 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88008d5d7000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88008d5d7080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88008d5d7100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                                       ^
 ffff88008d5d7180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88008d5d7200: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
==================================================================